CVE-2026-45157 nextcloud CVE debrief

A medium-severity information disclosure vulnerability in Nextcloud Server allows a malicious user with access to a file share to leverage the share token to access chunking upload endpoints and view temporary part files during ongoing uploads. The issue affects Nextcloud Server versions 32.0.0 through 32.0.8 and 33.0.0 through 33.0.2. The vulnerability stems from improper access control (CWE-284) where share tokens granted broader access than intended to the chunking upload mechanism. This was reported through HackerOne and addressed via a server pull request. No known exploitation in ransomware campaigns has been documented.

Vendor: nextcloud
Product: security-advisories
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Nextcloud Server administrators, security teams managing content collaboration platforms, and organizations relying on Nextcloud for sensitive file sharing operations

Technical summary

The vulnerability exists in Nextcloud Server's chunking upload implementation where share tokens, normally restricted to file download/access operations, could be reused to authenticate against the chunking upload endpoint. This allowed an attacker with legitimate share access to enumerate temporary part files (.part) during active uploads by other users, exposing file metadata and partial content. The fix implemented in the referenced pull request adds authorization checks to ensure share tokens cannot access upload chunking endpoints. The attack requires network access, low attack complexity, legitimate user privileges (share recipient), and user interaction, with no availability impact but high confidentiality impact and low integrity impact.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Nextcloud Server to version 32.0.9 or 33.0.3, or apply the corresponding Enterprise Server patch version applicable to your release track
  • Review share token permissions and validate that file share access does not extend to upload chunking endpoints
  • Monitor for unauthorized access to temporary part files in upload directories
  • Validate that WebDAV chunking endpoints enforce proper authorization boundaries independent of share tokens
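The monitoring action above and the technical summary both turn on one observable: a share-token principal touching the chunked-upload area, which a patched server should refuse. The following is an added example, not code from the advisory or from Nextcloud, that triages constructed reverse-proxy access-log lines for exactly that pattern. It assumes a combined-format log in front of Nextcloud, that chunked uploads are staged under `/remote.php/dav/uploads/` with in-progress files ending in `.part`, and that public-share WebDAV requests authenticate with the share token in the log's auth-user field; the share tokens and log lines are constructed for illustration.

```python
"""Triage reverse-proxy access-log lines for share-token requests against
Nextcloud chunked-upload paths.

Constructed example: log format, paths and tokens below are assumptions for
illustration, not taken from the advisory.
"""
import re
from dataclasses import dataclass

# Apache/nginx "combined" log format: client, ident, auth user, timestamp,
# request line, status, size.  The auth-user field is what we key on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: chunked uploads are staged under the DAV "uploads" collection,
# and in-progress files carry a ".part" suffix.  Adjust to your deployment.
UPLOAD_PATH_RE = re.compile(r'^/remote\.php/dav/uploads/|\.part(?:$|[?/])')


@dataclass(frozen=True)
class Finding:
    ip: str
    token: str
    method: str
    path: str
    status: int
    verdict: str  # "exposure": request was served; "blocked": server denied it


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, share_tokens):
    """Flag requests where the authenticating principal is a known share
    token AND the path belongs to the chunked-upload area.  A 2xx answer
    means the server honoured the token there (the CVE condition); a 4xx
    means the authorization boundary held."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in share_tokens:
            continue
        if not UPLOAD_PATH_RE.search(rec["path"]):
            continue  # ordinary public-share download traffic; expected
        status = int(rec["status"])
        verdict = "exposure" if 200 <= status < 300 else "blocked"
        findings.append(Finding(rec["ip"], rec["user"], rec["method"],
                                rec["path"], status, verdict))
    return findings


def summarize(findings):
    """Count findings per verdict so a dashboard can alert on 'exposure'."""
    counts = {"exposure": 0, "blocked": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


# Constructed: share tokens as exported from the instance's share table.
KNOWN_SHARE_TOKENS = {"xK3pQ9mT2rLw7Zb", "aB8cD4eF6gH1jK2"}

# Constructed log lines.  Line 1: token used to list a chunk directory (served).
# Line 2: same token downloading the shared file (legitimate).  Line 3: the
# uploading user's own chunk PUT.  Line 4: token denied after the fix.
# Line 5: unparseable noise.
SAMPLE_LOG = [
    '203.0.113.7 - xK3pQ9mT2rLw7Zb [01/Jun/2026:10:01:02 +0000] '
    '"PROPFIND /remote.php/dav/uploads/alice/web-file-upload-42/ HTTP/1.1" 207 1844',
    '203.0.113.7 - xK3pQ9mT2rLw7Zb [01/Jun/2026:10:01:05 +0000] '
    '"GET /public.php/webdav/report.pdf HTTP/1.1" 200 52310',
    '198.51.100.4 - alice [01/Jun/2026:10:01:06 +0000] '
    '"PUT /remote.php/dav/uploads/alice/web-file-upload-42/00003 HTTP/1.1" 201 0',
    '203.0.113.7 - aB8cD4eF6gH1jK2 [01/Jun/2026:10:02:00 +0000] '
    '"GET /remote.php/dav/uploads/alice/web-file-upload-42/.file.part HTTP/1.1" 403 0',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, KNOWN_SHARE_TOKENS):
        print(f"{f.verdict:9} {f.token} {f.method} {f.path} -> {f.status}")
    print(summarize(triage(SAMPLE_LOG, KNOWN_SHARE_TOKENS)))
```

Run it as-is to see the two findings on the constructed data; against real logs, feed `triage` the access log and the token set exported from the share table. An "exposure" verdict on a server that should already be at 32.0.9 or 33.0.3 indicates the fix is not in place or the request bypassed it; a steady stream of "blocked" verdicts from one client is the post-patch signal worth an alert.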

Evidence notes

The CVE description confirms affected version ranges and remediation paths. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N) supports the 6.3 medium severity rating with high confidentiality impact. The GitHub Security Advisory and HackerOne report provide vendor-confirmed technical details. The pull request reference indicates code-level remediation.
